ATLAS is one of my dreams coming to fruition. I love data, and I love a global view. Watching and measuring the recent Nirbot activity is the sort of thing I love about it, and I think it’s something that other people love about it.
Last weekend, the weekend of the 14th, Nirbot rolled the MS DNS RPC exploits into the botnet. We saw this as a sudden uptick in the attacks around 22:30 GMT that Sunday night, and careful triangulation of the data from several sources suggests that our initial theories were correct. Takedown efforts of the “rofflewaffles.us” domain began, and the efforts met with quick success. How quick? Have a look at the MSFT DNS RPC interface attacks we were tracking over the past week. BAM! Huge drop off, just as fast as it began, on Tuesday at about 14:00 GMT.
Nirbot’s been a huge source of another set of attacks we’ve been tracking in the past few months as well: the Symantec AV realtime VirusScan attack on TCP ports 2967 and 2968. Given that Nirbot’s involved in that, we would expect to see a similar drop in attack activity at about the same time and, sure enough, we do.
The MS DNS exploits rose quickly into the ATLAS top 10 attacks, and quickly fell out once Nirbot was neutered. The Symantec attacks, which had been holding onto a steady first place in global attack activity, are now only in the top 5. A huge change in the past week, and some major efforts to get the Internet cleaned up. If anyone doubts real progress in botnets, they should look at this as a case study of getting it right (albeit belatedly).